Disclosure of Invention
Based on this, in order to solve the technical problem that, in the traditional technology, potential safety hazards arising while an application program is in use cannot be identified effectively and predictively, a threat perception method based on operation scene analysis is provided.
A threat perception method based on operation scene analysis is based on a threat perception system comprising at least one client and a server connected with the at least one client, wherein a target application is installed on the at least one client;
the method comprises the following steps:
the server receives the running data, the application matching result data and/or the control triggering data uploaded by the at least one client;
the server analyzes the running data, the application matching result data and/or the control triggering data, determines whether a preset running scene matched with the running data, the application matching result data and/or the control triggering data exists according to a preset running scene setting rule, and if the preset running scene exists, takes the matched running scene as a target running scene;
the server determines a target execution strategy corresponding to the target operation scene, and issues a target execution instruction contained in the target execution strategy to the client through an operation auxiliary system connected with the server;
after receiving the target execution instruction, the client executes response operation contained in the target execution instruction, wherein the response operation comprises a response mode, response duration and/or response content.
Optionally, in one embodiment, after the server analyzes the operation data, the application matching result data, and/or the control trigger data, the method further includes:
the server judges analysis result data obtained by analyzing the running data, the application matching result data and/or the control triggering data, and determines a storage scheme corresponding to the analysis result data, wherein the storage scheme comprises a target storage mode and a target storage area;
and storing the analysis result data into a storage area corresponding to the target storage area according to the target storage mode.
Optionally, in one embodiment, after storing the analysis result data in the storage area corresponding to the target storage area according to the target storage manner, the method further includes:
after receiving a report generation instruction, the server reads the analysis result data stored in the target storage area, and generates a corresponding threat perception report according to the read analysis result data and a preset application program threat identification rule.
Optionally, in an embodiment, before the server receives the running data, the application matching result data, and/or the control trigger data uploaded by the at least one client, the method further includes:
after the client runs the target application, the client acquires running data on the client, wherein the running data comprises at least one of, but is not limited to, a device identification code, a device type, an operating system, an operator, a networking mode, an IP address and attack behavior data;
and/or the client acquires a preset monitoring application list from a server, acquires an installed application program list of the client, matches the installed application program list with the monitoring application list, and sends application matching result data to the server;
the client acquires a preset monitoring control list corresponding to the target application from the server, monitors control trigger information in the client according to control information contained in the monitoring control list, acquires control trigger data corresponding to the monitoring control list and sends the control trigger data to the server.
Optionally, in one embodiment, the monitoring control triggering information in the client according to the control information included in the monitoring control list further includes:
and the client acquires the control trigger data by monitoring the controls triggered in the client that are related to the controls contained in the monitoring control list.
Optionally, in one embodiment, the method further includes:
displaying a control visual interface corresponding to the preset monitoring control list on the server;
and after the client obtains a preset monitoring application list from the server, obtains the installed application program list of the client, matches the installed application program list with the monitoring application list, and sends the application matching result data to the server, the method further comprises the following step:
and the server updates the displayed control visual interface according to the received application matching result data.
Optionally, in one embodiment, the target execution instruction includes a response mode including a pop-up prompt, a voice prompt, a vibration prompt, and/or a forced exit from the target application.
Optionally, in one embodiment, the analyzing, by the server, the running data, the application matching result data, and/or the control trigger data, and determining whether a preset running scenario matching the running data, the application matching result data, and/or the control trigger data exists according to a preset running scenario setting rule, further includes:
the server classifies the running data, the application matching result data and/or the control triggering data, extracts characteristic data in the running data, the application matching result data and/or the control triggering data, and classifies the running data, the application matching result data and/or the control triggering data according to the characteristic data in a preset data classification mode;
and searching the operation scene corresponding to the operation data, the application matching result data and/or the control triggering data as a target operation scene according to the corresponding relation between the operation scene and the data in a preset operation scene setting rule.
Optionally, in an embodiment, after the server receives the running data, the application matching result data, and/or the control trigger data uploaded by the at least one client, the method further includes:
the server collects log files of the running data, the application matching result data and/or the control triggering data uploaded by the client, monitors the collected log files through log monitoring, and transmits the log files to a big data analysis component;
the server analyzes the operation data, the application matching result data and/or the control triggering data, and further comprises:
and the server analyzes the running data, the application matching result data and/or the control triggering data through the big data analysis component.
In addition, in order to solve the technical problem that, in the traditional technology, potential safety hazards arising while an application program is in use cannot be identified effectively and predictively, a threat perception system based on operation scene analysis is further provided.
A threat awareness system based on running scene analysis comprises at least one client and a server connected with the at least one client, wherein a target application is installed on the at least one client;
the server is used for receiving the running data, the application matching result data and/or the control triggering data uploaded by the at least one client;
the server is used for analyzing the running data, the application matching result data and/or the control triggering data, determining whether a preset running scene matched with the running data, the application matching result data and/or the control triggering data exists or not according to a preset running scene setting rule, and if the preset running scene exists, taking the matched running scene as a target running scene;
the server is used for determining a target execution strategy corresponding to the target operation scene, and the operation auxiliary system connected with the server issues a target execution instruction contained in the target execution strategy to the client;
the client is used for executing response operation contained in the target execution instruction after receiving the target execution instruction, wherein the response operation comprises a response mode, response time length and/or response content.
The embodiment of the invention has the following beneficial effects:
after the threat perception method and the system based on the operation scene analysis are adopted, a program is embedded in an application program; after the application program is started in a client, basic data, attack event data, data related to the running or installed application programs, control triggering conditions and other related data on the client are obtained according to the setting of a server, and the obtained data are uploaded to the server; the server analyzes the received data, determines an operation scene which corresponds to the data uploaded by the client and may involve a potential safety hazard, and issues an instruction to the client according to a preset response strategy corresponding to the operation scene, so that the client responds according to the response strategy and the potential safety hazard is identified and handled in advance; and the server stores the data uploaded by the client together with the analysis result, and subsequently analyzes the potential safety hazards of the application program according to the stored data. That is to say, in this embodiment, the data uploaded by the client is subjected to big data analysis in the server, so that the identification capability and the prediction capability for potential safety hazards in the application program using process are improved, handling is done in advance, the probability of potential safety hazards in the application program developing process is reduced, and the user experience is improved.
Detailed Description
In order to facilitate understanding of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
In particular, in the present embodiment, a threat awareness method and system based on runtime scenario analysis is proposed, wherein the implementation of the method may rely on a computer program that is executable on a computer system based on the von Neumann architecture. The computer system may be a device such as a smart phone, a tablet computer, a personal computer, etc. running the computer program.
It should be noted that, in this embodiment, the implementation of the threat awareness method based on the operation scene analysis is based on a threat awareness system including at least one client and a server connected to the at least one client as shown in fig. 1, where a target application is installed on each client, and the implementation of the method and the system is based on an application program corresponding to the target application. For example, the computer program based on the threat awareness method based on the operation scenario analysis is embedded in an application program corresponding to the target application, and when the target application runs, the computer program runs to implement a corresponding function. And at the server side, a computer program corresponding to the threat perception method based on the operation scene analysis is integrated and is used for realizing the threat perception method based on the operation scene analysis in a matching way.
Specifically, the threat awareness method based on the operation scenario analysis is shown in fig. 2. That is, the method is based on data interaction between the server and the client and on command execution.
Step S1: the client acquires running data, application matching result data and/or control triggering data;
step S2: the client sends the collected running data, the application matching result data and/or the control triggering data to the server;
step S3: the server analyzes the running data, the application matching result data and/or the control triggering data;
step S4: the server determines whether a preset operation scene matched with the operation data, the application matching result data and/or the control triggering data exists or not according to a preset operation scene setting rule, and if the preset operation scene exists, the matched operation scene is used as a target operation scene;
step S5: the server determines a target execution strategy corresponding to a target operation scene;
step S6: the server issues a target execution instruction contained in a target execution strategy to the client through the connected operation auxiliary system;
step S7: the client executes the response operation contained in the target execution instruction.
When the client runs the target application, or when the user opens the target application on the client, the execution of threat awareness is triggered by the opening and running of the target application. In this embodiment, a user first needs to perform relevant configuration in the system, for example, which data should be collected by the client, a monitoring application list that needs to be monitored, a monitoring control list corresponding to the controls that need to be monitored in the running process of the target application, and the like.
After the target application is started in the client, the client acquires running data, application matching result data and/or control triggering data corresponding to the running of the client and the target application and sends the running data, the application matching result data and/or the control triggering data to the server for further data analysis and threat perception.
In step S1, the process of collecting the operation data, the application matching result data, and/or the control trigger data by the client is completed in the process of operating the target application in the client.
In one particular process, the operational data is collected as follows: after the client runs the target application, the client obtains running data on the client, where the running data includes at least one of a device identifier, a device type, an operating system, an operator, a networking mode, an IP address, and/or attack behavior data; the running data is not limited to the items mentioned above and may also include other data on the client.
The operation data refers to the corresponding basic data information on the client, such as a device identification code (device ID), a device type (or device model), an operating system, an operator (operator identification), whether the device is jailbroken, a networking mode (WIFI, a cellular network, and the like), an IP address, and the like, and also includes information related to whether the client has attack behavior data (for example, whether an attack event exists, the attack type corresponding to the detected attack event, and the like). It should be noted that the specific combination of data making up the operation data is preset by the server, that is, the user is required to preset in the server the attribute items specifically included in the operation data.
In addition, data such as the device identification code (device ID), the device type (or device model), the operating system, the operator (operator identifier), whether the device is jailbroken, the networking mode (WIFI, a cellular network, and the like), the IP address, and the like are collected once after the client starts the target application (APP1); the attack behavior data, by contrast, comes from continuous detection on the client, and its acquisition and uploading start once an attack event is detected.
In one specific process, the acquisition of application matching result data is as follows: the method comprises the steps that a client side obtains a preset monitoring application list from a server, obtains an installed application program list of the client side, matches the installed application program list with the monitoring application list, and sends application matching result data to the server.
A monitoring application list is set on the server, where the application programs included in the monitoring application list are other application programs that may affect the current application APP1 or that should be monitored; it is also referred to as a blacklist application list and is set by the developer corresponding to the target application. After the client opens APP1, the monitoring application list is obtained from the server through the communication connection between the client and the server. The client then acquires the list of all currently installed application programs, determines whether any application in the blacklist application list exists among the installed application programs, and sends the corresponding result to the server as application matching result data. In another optional embodiment, whether any application program in the blacklist application list matches one of the application programs currently running on the client may also be determined and sent to the server as application matching result data.
In the specific application program matching process, the blacklist application list comprises an application name, an application unique identifier or a package name corresponding to the application; the application name, the application unique identifier and/or the package name of each installed application are compared with it, so that whether a matched application program exists is determined, and application matching result data is generated according to the comparison result and uploaded to the server.
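The matching described above, as an added illustration that is not the patent's own code: the installed list is compared with the monitoring list on unique identifier, package name or name, and the outcome is packaged as application matching result data. The entry fields, the matching precedence and the sample lists are assumptions.

```python
"""Client-side application matching: compare the client's installed application
list against the monitoring (blacklist) application list obtained from the server
and build the application matching result data that is uploaded.

Added example, not the patent's own code. The entry fields, the matching
precedence (unique identifier, then package name, then name) and the sample
lists are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AppEntry:
    """One application as listed by either side (constructed schema)."""
    name: str
    package: Optional[str] = None   # package name
    uid: Optional[str] = None       # application unique identifier


# Constructed monitoring application list as delivered by the server.
MONITORING_LIST = [
    AppEntry("Overlay Helper", "com.example.overlay", uid="APP-ID-0001"),
    AppEntry("Debug Bridge", "com.example.debugbridge"),
    AppEntry("Screen Recorder", "com.example.recorder", uid="APP-ID-0003"),
    AppEntry("Legacy Tool"),                      # name only: weakest identifier
]

# Constructed installed application list read on the client.
INSTALLED_LIST = [
    AppEntry("Browser", "com.example.browser"),
    # renamed/repackaged build of a monitored app: same unique identifier
    AppEntry("Overlay Helper Pro", "com.example.overlay.pro", uid="APP-ID-0001"),
    AppEntry("Notes", "com.example.notes"),
    AppEntry("debug bridge", "com.example.debugbridge"),
    AppEntry("legacy tool", "com.example.legacy"),
]


def same_application(installed: AppEntry, monitored: AppEntry) -> bool:
    """Match on the strongest identifier the monitoring entry carries: unique
    identifier, then package name; the display name is used only when the
    monitoring entry has neither, because names are trivially changed."""
    if monitored.uid:
        return installed.uid == monitored.uid
    if monitored.package:
        return installed.package == monitored.package
    return installed.name.casefold() == monitored.name.casefold()


def match_applications(installed: Iterable[AppEntry],
                       monitoring: Iterable[AppEntry]) -> dict:
    """Return the application matching result data: whether any monitored
    application is present, how many matched, and which installed entries hit."""
    installed = list(installed)
    matches = []
    for monitored in monitoring:
        hits = [app for app in installed if same_application(app, monitored)]
        if hits:
            matches.append({
                "monitored": monitored.package or monitored.name,
                "installed_as": sorted(app.package or app.name for app in hits),
            })
    return {"blacklist_app_present": bool(matches),
            "matched_count": len(matches),
            "matches": matches}
```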
In a specific process, the control trigger data is acquired as follows: the client acquires a preset monitoring control list corresponding to the target application from the server, monitors control trigger information in the client according to the control information contained in the monitoring control list, acquires control trigger data corresponding to the monitoring control list and sends the control trigger data to the server.
The monitoring control list is the set of controls to be monitored, which is set at the server side, for example, all the controls that may be triggered during the running of the target application APP1. After the client opens the target application APP1, the client acquires the monitoring control list from the server, and monitors the control triggering condition of the client according to all control names (control IDs) and the like contained in the monitoring control list. Specifically, the client monitors in the background the controls listed in the monitoring control list and acquires the corresponding control trigger data, which comprises the triggered control name, the control ID, the control trigger time, the interval between two triggers, the trigger frequency and the like, and sends the acquired control trigger data to the server in real time or periodically.
Further, while the client monitors the controls, it monitors the control trigger data of controls triggered on the client that are included in the monitoring control list; the control triggers may be monitored by means of a hook, and hook technology is adopted for monitoring the control trigger information so as to adapt to various device models and their corresponding application scenarios.
After the client uploads the data to the server, the server receives and stores all the data uploaded by the client, and then classifies, mines, counts and analyzes the data to determine whether the current client has a potential safety hazard. Specifically, whether a potential safety hazard exists is judged by whether the data uploaded by the client matches a preset operation scene, for example a preset abnormal login scene. The preset operation scene is set in the server in advance, and includes the correspondence between the operation scene and control information, operation data, application information and the like. That is to say, after the server receives the running data, the application matching result data and the control trigger information uploaded by the client, the server determines the running scene corresponding to the data by analyzing the received data.
Generally, except for a normal operation scenario, other operation scenarios all correspond to different operations that need to be performed by a client or a server. That is, each operation scenario corresponds to a different response operation, and the response operation includes both the client-side and the server-side. After the target operation scenario is determined, an execution policy corresponding to the target operation scenario may be determined, where the execution policy includes a response operation that the client should perform, where the response operation includes a response mode, a response duration, and/or response content, for example, a pop-up window prompt, a voice prompt, a vibration prompt, and/or a forced exit of the target application, and of course, is not limited to the response mode given above.
For example, in a specific embodiment, the data uploaded by the client is determined to be an abnormal log-in operation scenario, in order to avoid the user security from being affected, a pop-up prompt may be displayed on the client, and the application may be forcibly exited after 3 seconds, so as to avoid further loss.
Specifically, the process of analyzing and determining the matched operation scene by the server according to the received operation data, the application matching result data, and/or the control trigger data may specifically be: the server classifies the running data, the application matching result data and/or the control triggering data, extracts characteristic data in the running data, the application matching result data and/or the control triggering data, and classifies the running data, the application matching result data and/or the control triggering data according to the characteristic data in a preset data classification mode; and searching the operation scene corresponding to the operation data, the application matching result data and/or the control triggering data as a target operation scene according to the corresponding relation between the operation scene and the data in a preset operation scene setting rule.
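Steps S3 to S6 as described above, written out as an added example that is not the patent's own code: feature data (including the per-control interval and trigger frequency named earlier) is extracted from a constructed client upload, matched against an ordered table of preset operation scene setting rules, and turned into the target execution instruction. The payload schema, the rule thresholds and every scene other than the abnormal-login case from the patent's example are assumptions.

```python
"""Server-side scene matching (steps S3 to S6): classify one client upload,
extract feature data, find the preset operation scene whose rule matches, and
return the execution instruction to issue to the client.

Added example, not the patent's own code. The payload schema, the thresholds
and every scene except the "abnormal login" case are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed upload from one client, grouped as the patent groups the data.
UPLOAD = {
    "running_data": {
        "device_id": "DEV-0001",   # constructed identifier
        "os": "Android 13",
        "jailbroken": False,
        "network": "WIFI",
        "attack_events": [],       # filled when the client detects an attack event
    },
    "app_match": {"blacklist_app_present": False, "matches": []},
    # control name, control ID and trigger time in seconds since app start
    "control_triggers": [
        {"name": "login_button", "id": 1001, "time": t}
        for t in (12.0, 12.6, 13.1, 13.5, 14.0, 14.4)
    ],
}


def extract_features(upload: dict) -> dict:
    """Classify the upload and derive the feature data the scene rules use,
    including the per-control interval and trigger frequency the patent lists."""
    running = upload.get("running_data", {})
    triggers = upload.get("control_triggers", [])
    controls: Dict[str, dict] = {}
    for name in {t["name"] for t in triggers}:
        times = sorted(t["time"] for t in triggers if t["name"] == name)
        intervals = [b - a for a, b in zip(times, times[1:])]
        span = times[-1] - times[0]
        controls[name] = {
            "count": len(times),
            "min_interval": min(intervals) if intervals else None,
            # triggers per second over the observed span; one trigger has no rate
            "frequency": len(intervals) / span if span > 0 else 0.0,
        }
    return {
        "jailbroken": bool(running.get("jailbroken", False)),
        "attack_events": list(running.get("attack_events", [])),
        "blacklist_app_present": bool(
            upload.get("app_match", {}).get("blacklist_app_present", False)),
        "controls": controls,
    }


@dataclass(frozen=True)
class Strategy:
    """Execution strategy: response mode, response duration and response content."""
    response_mode: List[str]
    response_duration_s: float
    response_content: str


def _abnormal_login(f: dict) -> bool:
    """Assumed rule: five or more login-control triggers at one per second or faster."""
    login = f["controls"].get("login_button")
    return login is not None and login["count"] >= 5 and login["frequency"] >= 1.0


# Preset operation scene setting rules, checked in order; the first match is the
# target operation scene. No match means normal operation.
SCENARIO_RULES = [
    ("attack_detected", lambda f: bool(f["attack_events"])),
    ("abnormal_login", _abnormal_login),
    ("risky_environment", lambda f: f["jailbroken"] or f["blacklist_app_present"]),
]

# Execution strategy per scene. The abnormal-login entry follows the patent's
# example (pop-up prompt, forced exit after 3 seconds); the others are assumed.
EXECUTION_STRATEGIES: Dict[str, Strategy] = {
    "attack_detected": Strategy(["pop-up prompt", "force exit"], 0.0,
                                "An attack event was detected; the application will close."),
    "abnormal_login": Strategy(["pop-up prompt", "force exit"], 3.0,
                               "Abnormal login behaviour detected; exiting in 3 seconds."),
    "risky_environment": Strategy(["pop-up prompt", "vibration prompt"], 5.0,
                                  "This device environment may be unsafe."),
}


def match_scenario(upload: dict) -> Optional[str]:
    """Return the target operation scene for the upload, or None for normal operation."""
    features = extract_features(upload)
    for scene, rule in SCENARIO_RULES:
        if rule(features):
            return scene
    return None


def target_execution_instruction(upload: dict) -> Optional[dict]:
    """Build the target execution instruction for the client, or None when the
    upload matches no preset scene and no response operation is needed."""
    scene = match_scenario(upload)
    if scene is None:
        return None
    s = EXECUTION_STRATEGIES[scene]
    return {"scene": scene, "response_mode": s.response_mode,
            "response_duration_s": s.response_duration_s,
            "response_content": s.response_content}
```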
As shown in fig. 4, the process by which the server analyzes the received operation data, application matching result data, and/or control trigger data and determines the matched operation scenario may be completed by a big data component; specifically, Flume monitors the data that the server receives from the client, and triggers other modules to process the data when new data or log files are detected. In the big data component, the large volume of data is processed, classified, mined and analyzed through a data warehouse tool, a data engine, a relational database, a distributed file system and the like, so that the data uploaded by the client is used to the greatest extent and the value of the data after deep mining is improved.
In another embodiment, the data collected by the user in the process of using the target application may be used to analyze whether the client has a potential safety hazard currently and remind the user to perform corresponding processing, and the corresponding data may be stored in the server, so that the server may perform further analysis and threat perception according to the analysis result of the data collected by each client.
Specifically, in a specific embodiment, after the server analyzes the operation data, the application matching result data, and/or the control trigger data, the method further includes:
the server judges analysis result data obtained by analyzing the running data, the application matching result data and/or the control triggering data, and determines a storage scheme corresponding to the analysis result data, wherein the storage scheme comprises a target storage mode and a target storage area;
and storing the analysis result data into a storage area corresponding to the target storage area according to the target storage mode.
That is to say, for data uploaded to the server by the client, the server not only needs to analyze corresponding data, remind the client according to a matched running scene, and instruct the client to perform corresponding response operation, but also needs to store the data uploaded by the client, and the stored data not only includes the data uploaded by the client, but also includes an analysis result of the data uploaded by the client. For example, in the application scenario shown in fig. 3, the database module includes a plurality of sub-databases, specifically, as shown in fig. 5, the database includes a plurality of sub-databases, for example, a temporary database, a memory database, a permanent database, and the like; and different databases can also correspond to different read-write authorities, and can be specifically set according to the properties of the data stored in the databases.
That is, the data collected by the client and the corresponding data related to the analysis result are stored in the designated database, and can be retrieved and analyzed when analysis is needed. For example, where it is desired to determine whether a threat exists based on the data, the data may be analyzed according to predetermined rules, the existence of a corresponding unknown or predicted threat may be determined, and a corresponding threat awareness report may be generated.
Specifically, in an embodiment, after storing the analysis result data in the storage area corresponding to the target storage area according to the target storage manner, the method further includes:
and after receiving a report generation instruction, the server reads the analysis result data stored in the target storage area and generates a corresponding threat perception report according to the read analysis result data and a preset application program threat identification rule.
The server not only stores the data uploaded by the client and the analysis result corresponding to the data, but also keeps the stored data for subsequent analysis. In this embodiment, the object of analysis may be all the data uploaded by a certain client, for which a corresponding analysis report is generated. In another optional embodiment, the object of analysis may be all the data corresponding to the target application APP1, for which an analysis report on the threats that may exist during the use of APP1 is generated, so that the developer corresponding to APP1 can correct the version or function corresponding to APP1 and perceive and handle the threat in advance.
Generally, the generation of reports for analyzing data is not performed in real time, but is triggered by the input of user instructions or the triggering of periodic instructions (for example, the updating of one report per month), or when the existence of a large threat or safety hazard is sensed during the analysis of large data. Under the condition that the generation of the analysis report is triggered, the analysis is carried out according to the data stored in the database, and a corresponding threat perception report is generated according to a preset report generation rule so as to be referred to in the process of application program development.
Further, in order to facilitate monitoring of the use condition of the target application or monitoring of the relevant condition of threat perception by an application program developer corresponding to the target application APP1, in this embodiment, a corresponding visualization interface is further provided. That is, a corresponding threat-aware presentation interface is presented in the server or a display interface connected to the server, for example, in an alternative embodiment, a statistical interface of control data or a specific data presentation interface in the case that the running scenario matches and instructs the client to perform a corresponding response operation is presented on the interface.
In a specific embodiment, the threat awareness method based on the operation scenario analysis further includes: displaying a control visual interface corresponding to the preset monitoring control list on the server; that is, the server may display the relevant data on the visual interface after receiving the relevant data or analyzing the relevant data. For example, after a client acquires a preset monitoring application list from the server, acquires the installed application list of the client, matches the installed application list with the monitoring application list, and sends application matching result data to the server, the server updates the displayed control visual interface according to the received application matching result data. That is to say, the data analysis and transmission results are updated and displayed in real time, so that the time the APP1 development side needs to judge and decide about the application program is shortened, the time taken to perceive a potential safety hazard is saved, and loss is kept as close to zero as possible.
In another specific embodiment, as shown in fig. 3, the interaction relationship of data and instructions between various parts in the server and the client is shown.
Specifically, the server collects log files of the operation data, application matching result data and/or control triggering data uploaded by the client through the Nginx reverse proxy server; the log files collected by the Nginx reverse proxy server are monitored through Flume and transmitted to a big data analysis component; and the server analyzes the running data, the application matching result data and/or the control triggering data through the big data analysis component. After data analysis, the corresponding data are imported into different databases for storage. If, during the analysis of the data, the client needs to perform a corresponding operation, the instruction is issued to the operation auxiliary system, the operation auxiliary system forwards the instruction to the client, and the client responds.
In the above embodiments, all or part of the implementation may be realized by software, hardware, firmware, or any combination thereof. When implemented using a software program, the implementation may take, in whole or in part, the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable system. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present invention and is not intended to limit the scope of the appended claims.